***********************************************
Interlanguage Compiler in SELinux Policy Editor
***********************************************

ܥɥȤϡSELinux Policy Editor ָ쥳ѥ
(ʲѥ)˴ؤ򵭺ܤƤޤ


1. Ȥ

    ʲǤϡѥΥ󥹥ȡǥ쥯ȥ $installpath 
      Ƥޤ
    
    SELinux Policy Editor ˤϤ줿ե򥳥ѥ
    ˤmake ޥɤѤޤ
    
        $ cd $installpath/
        $ make
    
    make ޥɤ¹Ԥ뤳ȤˤꡢʲΥե뤬ޤ
    
        $installpath/policy/middle.conf
        $installpath/policy/policy.conf
        $installpath/policy/file_context
    
    middle.conf m4ޥˤޥŸΥեǡι⤤
    եǤpolicy.conf m4ޥˤޥŸΥե
    ޥϰʲΥե򻲾ȤƤ
    
        $installpath/macros/*
    
    SELinuxѥޥɤǤ checkpolicy, load_policy, setfiles ˤ
    policy.conf 뤤 file_context ꤹ뤳ȤǡƥФ
    ƥƥݥꥷꤹ뤳ȤǤޤ


2. λ

2.1. 

    ե domain 뤤 role ñ̤ȤʤäƤޤdomain 
    νפϡglobal domain ɬܤǤǤ domain 
    ǤϡƤ domain ˶̤ŬѤ򵭽Ҥޤ
    
    ¤Ϥ٤ơ֤Ǥϡֵݡפξ֤ˤªޤ
    եǤɬפʸ¤ͿʤФʤޤ

2.2. ʸˡ

    domain 뤤 role δܹ¤ʲ˼ޤ
    
        {
        domain(뤤 role) ...
        users ...
        domain_trans ...
        allow ...
        deny ...
        allow*** ...
        }
    
2.2.1. domain 뤤 role 

    (1) domain 
    
        [  ]
        
            domain < domain ̾ >;<  >
            
        [ ̣ ]
        
            domain ̾ޤâƱ2İʾ
            ƤϤޤ󡣤ޤdomain ̾ "_t" ǽλƤɬ
            ޤ
            
            < domain ̾ > "global" Ȥȡ٤Ƥ domain ˶
            ŬѤȤߤʤޤ
        
        [  ]
        
            "global"Ȥ̾Τΰ domain ϺǤޤ
    
    (2) role 

        [  ]
        
            role < role ̾ >;<  >
        
        [ ̣ ]
        
            role ̾ޤâƱ2İʾ
            Ϥޤ󡣤ޤrole ̾ "_r" ǽλƤɬפ
            ޤ

2.2.2. user ʸ

    [  ]
    
        user < 桼̾ >;<  >
        
    [ ̣ ]
    
        ʸϡߤΥ role Ƥ˸¤
        뤳ȤǤޤ
        
        ߤΥƤ role ôȤĤ桼
        ޤ
        
2.2.3. domain 

    [  ]
    
        domain_trans  < ܸ domain > < ץ̾ >;<  >
        
    [ ̣ ]
    
        < ܸ domain > ǲưƤץब < ץ̾ >
        ¹Ԥݤˡ¹Ԥ줿ץϸߤΥ
        Ƥ domain ǲưޤ

2.2.4. ̾եФ륢

    ʲ˵󤲤եФƤϡȼΥ٥ưŪͿޤ
    
        /dev/tty*
        /dev/pts
        /dev/ptmx
    
    (1) allow ʸ
    
        [  ]
        
            (a) allow < ե̾ > | < ̾ > [r],[w],[x],[s];<  >
            (b) allow < ǥ쥯ȥ > exclusive < ̾ >;<  >
            
            
            - ѥ᡼ΰ̣ ----------------------------------------
            
                r : ɤ߹
                w : 񤭹
                x : ¹
                s : ǥ쥯ȥꥵե˻ꤷƤ̣Ϥʤ
                    ե  ꤷˤϾ  
                    ꤷƤʤȡѥ꤬ʤ
                    դɬפǤ
            
            -----------------------------------------------------------
        
        [ ̣ ]
        
            ߤΥƤ domain Фơե
            Ф륢Ĥޤ
            
            
            (a) domain ȥեȤδ֤ǥѡߥåޤ
                Ū allow ʤ¤ꥢϵĤ
                
                
                < ե̾ >ˤϥǥ쥯ȥꤹ뤳ȤǤޤ
                ǥ쥯ȥꤷ硢Υ֥ǥ쥯ȥФ
                Ƥ⥢¤Ѿޤ¤Ѿ
                ʤˤϡallowonly ѤƤ
            
            (b) SELinux Ǥ file_type_auto_trans ޥޤ
                ץबΥǥ쥯ȥ겼˥ץѥե
                뤬ե̾ϺޤǤ
                ˡ< ̾ >뤳ȤˤꡢƱե
                ̤뤳ȤǤޤ
                
                ˡ/var/run  /var/log ˺ե
                ŪѤޤ
                
                ޤˤäơ< ǥ쥯ȥ > Ф
                ե븢ȡƱեФ񤭹
                ¤Ϳޤ
                
                < ǥ쥯ȥ >ˤǤեФ¾ domain 
                뤳ȤϽ֤ǤϵĤޤ
                ĤˤϡŪɬפ
                ޤ
    
    (2) deny ʸ
    
        [  ]
        
            deny < ե̾ >;<  >
        
        [ ̣ ]
        
            allow ʸˤ̵ݤޤ
            
            㤨Сǥ쥯ȥΤФ allow 򤷤
            ˡβΥե뤢뤤ϥǥ쥯ȥФ륢
            ̤˵ݤޤ
            
            < ե̾ >ˤϥǥ쥯ȥꤹ뤳ȤǤޤ
            ǥ쥯ȥꤷ硢Υ֥ǥ쥯ȥФƤ
            ¤Ѿޤ¤Ѿʤ
            ˤϡdenyonly ѤƤ
            
            ޤߤΥƤ domain  "global" 
            Ǥ硢ʸѤ뤳Ȥǡ domain Ƕ̤
            ƵݤǤޤ㤨С
            
                deny /etc/shadow;
            
            Ƥȡ domain Ǥ /etc/shadow Ф
            Ĥʤʤޤ㳰Ū domain 
            ФƤΥեؤΥĤ٤ˤϡ 
            domain ˤŪ˰ʲͤɬ
            פޤ
            
                allow /etc/shadow r,s;
            
    (3) allowonly ʸ
    
        [  ]
        
            allowonly < ե̾ > [r],[w],[x],[a],[s];<  >
        
        [ ̣ ]
        
            domain ȥեȤδ֤ǥѡߥåޤ
            
            < ե̾ >ˤϥǥ쥯ȥꤹ뤳ȤǤޤ
            ǥ쥯ȥꤷ硢Υ֥ǥ쥯ȥФƤ
            ¤Ѿޤ󡣥¤Ѿ
            ˤϡallow ѤƤ
        
    (4) denyonly ʸ
    
        [  ]
        
            denyonly < ե̾ > [r],[w],[x],[a],[s];
        
        [ ̣ ]
        
            allow ʸˤ̵ݤޤ
            
            < ե̾ >ˤϥǥ쥯ȥꤹ뤳ȤǤޤ
            ǥ쥯ȥꤷ硢Υ֥ǥ쥯ȥФƤ
            ¤Ѿޤ󡣥¤Ѿ
            ˤϡdeny ѤƤ
        
2.2.5. allow  deny ʸͥ

    (1) allow  deny  global 
    
        "global" domain ǡallow  deny ʸ
        ޤ
    
    (2) allow  deny ͥ
    
        Ʊǥ쥯ȥФ븢Ǥϡ"global" domain ˤ
        ⡢ domain ˤͥ褵ޤ
        
        
            1) "global" domain Ӱ domain ˤƱǥ쥯ȥ
                 Ф륢
                 
                "global" domain : allow /usr r;
                "a_t"    domain : allowonly /usr w;
                
                "a_t" domain ϡ/usr Ф w ¤/usr/*** 
                Ф r ¤ġ
            
            2) "global" domain Ӱ domain ˤƱǥ쥯ȥ
                 Ф륢
                 
                "global" domain : allow /usr r;
                "a_t"    domain : allow /usr w;
                
                "a_t" domain ϡ/usr Ф w ¤/usr/*** 
                ФƤ w ¤ġ
        
        
        ֥ǥ쥯ȥФ륢椬ŪƤ
        硢"global" domain Ӱ domain δطʤ
        ֥ǥ쥯ȥФͥ褵ޤ
        
        
            1) ֥ǥ쥯ȥФ륢椬Ū
                 Ƥ
                
                "a_t" domain : allow /usr r;
                               allow /usr/local w;
                
                "a_t" domain ϡ/usr Ф r ¤/usr/local 
                Ф w θ»ġ
            
            2) ֥ǥ쥯ȥФ륢椬Ū
                 Ƥ
                
                "global" domain : allow /usr/local w;
                "a_t"    domain : allow /usr r;
                
                "a_t" domain ϡ/usr Ф r ¤/usr/local 
                Ф w θ»ġ
        
        
        2.2.4.(1)Ǥ< ̾ >Ф륢Ĥϡ< ǥ쥯ȥ >
        Ф륢Ĥ w ȤʤäƤ褦Ȥ⡢< ̾ >Ф
        Ū allow Ƥʤ¤ꡢ¾Υץ
        ϵݤޤ
        
        domain ˤơƱΥե뤢뤤
        ǥ쥯ȥФʣ allow ʤ줿ˤϡ
        Ƥƥѡߥå OR 黻Ԥޤâdeny 
        ¸ߤˤϡdeny ͥ褵ޤ

2.2.6. ͥåȥطΥ

    (1) allownet ʸ
    
        [  ]
        
            (a) allownet;<  >
            (b) allownet -raw;<  >
            (c) allownet -wellknown;<  >
            (d) allownet (-tcp | -udp) -port < ݡֹ >;<  >
            (e) allownet (-tcp | -udp) -allport;<  >
        
        [ ̣ ]
        
            ͥåȥѤĤޤ
            
            (a) tcp  udp 1024ְʾΥݡȤλѤĤޤ
            (b) raw åȤλѤĤޤ( icmp Ȥʤ)
            (c) Wellknown ݡȤѤΰ٤ΥѥӥƥͿޤ
            (d) 1024ְʲΥݡȤѤͽ󤷤ޤ
                ͽ󤵤줿ݡȤ¾ domain ȤˤϡŪ
                ɬפޤ
            (e) ͽ󤵤ƤʤƤ1024ְʲΥݡȤȤȤ
                ޤ
        
        [  ]
        
            ʸϼäȤǤʤ١"global" domain 
            ݤˤդƲ

2.2.7. ץ̿Υ

    (1) allowcom ʸ
    
        (a) å
        
            [  ]
            
                allowcom -tcp | -udp | -unix < ̿ domain >;<  >
            
            [ ̣ ]
            
                < ̿ domain >ФƤ줾ΥåȤȤä
                ̿Ĥޤ
                
                < ̿ domain >"global"ꤵȡ domain 
                Ф̿Ĥޤ
        
        (b) IPC
        
            [  ]
            
                allowcom -sem | -msg | -msgq | -shm | -pipe < ̿ domain >  [r],[w];<  >
            
            [ ̣ ]
            
                < ̿ domain >Ȥδ֤Ǥ줾ˤ
                ץ̿Ĥޤ
                
                < ̿ domain >ˤϼʬȤ򼨤"self"ǽ
                Ǥޤ"global"ꤵȡ domain Ф
                ץ̿Ĥޤ
        
        (c) ʥ
        
            [  ]
            
                allowcom -sig <  domain > [c],[k],[s],[o];<  >
                
                
                - ѥ᡼ΰ̣ -----------------------------------
                
                    c : sigchld
                    k : sigkill
                    s : sigstop
                    o : ¾
                
                ------------------------------------------------------
                
            [ ̣ ]
            
                <  domain >ФƤ줾Υʥ
                ޤ
                
                <  domain >"global"ꤵȡ domain 
                Ф륷ʥĤޤ

2.2.8. üؤΥ

    ǥեȤǤϡȤüؤΥϵĤƤޤ
    
    (1) allowtty ʸ
    
        [  ]
        
            (a) allowtty -create;<  >
            (b) allowtty < role ̾ > [r],[w];<  >
            (c) allowtty -change < domain >;<  >
        
        [ ̣ ]
        
            üǥХ /dev/tty* ؤΥꤷޤ
            
            (a) ʬ domain ̾ͭü뤳ȤĤޤ
            
            (b) < role ̾ > role ǥ󤷤Ƥ桼ü
                ɤߤȤꡢ񤭹ߤ뤤ϤξĤޤ
                
                < role ̾ >Ф"general"ꤵ줿硢٥
                դ /dev/tty  /dev/tty* ؤΥ
                ޤ
                
                < role ̾ >Ф"global"ꤵ줿硢٤Ƥ
                üФ륢Ĥޤ
            
            (c) < domain >ͭüФơ٥ΤϤ꤫Ĥ
                ޤ"general"ꤵ줿硢٥뤬դü
                Υ٥դĤޤ
        
    (2) allowpts ʸ
    
        [  ]
        
            (a) allowpts -create;<  >
            (b) allowpts -change < domain >;<  >
            (c) allowpts < domain or role > [r],[w];<  >
        
        [ ̣ ]
        
            üǥХ /dev/pts/* ѤǤ⡼ȥ
            Ϣ˻Ѥޤ
            
            (a) ߤΥƤ domain ʳ domain 
                Ƥ domain ǵü뤳Ȥ
                ޤ
            
            (b) üϤȤĤޤʥ٥ΤϤ꤫ˡ
                Ѥ뤳Ȥǡ role ⡼Ȥ
                󤹤뤳Ȥݤ뤳ȤǤޤ
            
            (c) üؤΥꤷޤ
            
            < domain >"general"ꤹ뤳Ȥǡ٥դü
            Ф륢椬ǽǤ

2.2.9. proc ե륷ƥؤΥ

    [  ]
    
        allowproc -self | -other | -system | -kmsg | -proc [r],[w];<  >
    
    [ ̣ ]
    
        -self : ʬȤΥץ̣ޤ
        
        -other : ¾ΥץΥץ̣ޤ
        
            Υץˤ륢ʤ硢
              ps ޥɤ¾Υץξϸޤ󡣤ޤPID 
              ʬʤ kill 뤳ȤǤʤʤޤϡ
              ץ򱣤ȤǤ뤳Ȥ̣ޤʤ
              "global" domain ǤǤޤ
        
        -system : /proc/sys  /proc/net ʤɤΥƥ̣ޤ
        
            ̾ԤϤξФƽ񤭹ߤɬפǤޤ
            ̥ץǤɤߤ߸¤ɬפˤʤޤ
            
            w ˤ硢SELinuxꥸʥޥǤ can_sysctl 
            ޥθ¤Ȥʤޤ
            
            r ˤ硢SELinuxꥸʥޥǤ 
            general_proc_read_access θ¤Ȥʤޤ( proc/kmsg 
            ФƤ stat θ¤Ϳޤ)
            
            ʤ/proc/kcore Ф񤭹߸¤Ϳ뤳ȤϤǤ
            
            
        -kmsg : /proc/kmsg Ф븢¤ꤷޤ
        
            ̾ klogd Τߤɤ߹߲ǽꤷޤ
            
        -proc : /proc Τ¾Υե̣ޤ
        
            ̤proc_t̾ĤƤեФ륢
            ޤ

2.2.10. tmpfs Υ

    [  ]
    
        (a) allowtmpfs -create;<  >
        (b) allowtmpfs < domain > [r],[w];<  >
    
    [ ̣ ]
    
        tmpfs ϶ͭ˻Ȥ롢RAMΥե륷ƥǤ
        /dev/shm ˺ޤ(RedHat7.2)
        
        (a) tmpfs ˼ʬΥץѤΥե뤳ȤĤޤ
        
        (b) < domain >ä tmpfs Ф륢Ĥޤ
        
            < domain >"general"ꤵ줿硢٥դ 
            tmpfs Ф륢Ĥޤ"global"ꤵ줿
            ˤϡ٤Ƥ tmpfs Ф륢Ĥޤ

2.2.11. allow ʸʳʸͥ

    allow ʸʳʸǤϡ"global" domain Ϳ¤Ǥä
    ȤϤǤޤ
    
    ) "global" domain Ȱ domain ǽʣ줿
    
        "global" domain : allowtty < xxxxx > r;
         domain     : allowtty < xxxxx > w
        
        嵭ξ硢"global" domain Ǥ  ˲äơw Ϳޤ

2.2.12. 

    [  ]
    
        allowadm [relabel],[chsid],[avc_toggle],[load_policy],[net],[boot],[insmod],[quotaon],[swapon],[mount],[raw_io];<  >
    
    [ ̣ ]
    
        relabel :
        
            ƤΥ٥ĥĤޤ
            
        chsid :
        
            ʬǤեΥ٥봹Ĥޤ
            
        avc_toggle :
        
            development ⡼ɤǤ avc_toggle ޥɤλѤĤ
            
            
        load_policy :
        
            ݥꥷ򥫡ͥФɤ߹ߤĤޤ
            
        net :
        
            arp  route ơ֥񤭴ץߥ㥹⡼
            ͥåȥδĤޤ 
            
        boot :
        
            ֡ȤĤޤ
            
        insmod :
        
            ͥФ⥸塼ɤ߹ߤĤޤ
            
        quotaon :
        
            ǥͭ뤳ȤĤޤ
            
        swapon :
        
            åפͭ뤳ȤĤޤ
            
        mount :
        
            ե륷ƥΥޥȤĤޤ
            
        raw_io :
        
            /dev/mem 䡢ǥХեФ raw_io Ĥޤ
        


